Tags: security, github, dependabot

How to see dependabot alerts only for the current branch?


I have a repository which uses ReactJS and has 39 vulnerabilities (all of them are in the yarn.lock file) when I am on the master branch. The Dev branch and a few other branches are many commits ahead of this master, and there are a ton more dependencies, most of which are outdated as of now. However, even when I switch the branch on GitHub (when I switch to Dev or something else), it still shows the same 39 vulnerabilities.

So, does that mean GitHub is showing the vulnerabilities for the entire project in all the branches? Do I have to set some setting to look at the alerts/vulnerabilities only for the current branch? Or does it mean that all of the branches have the same vulnerabilities?

Thanks in advance.


Solution

  • Found the simplest way to deal with this situation: go to the "Settings" of the repository and change the default branch to the current branch. This will not affect anything unless you have some sort of trigger in place to deploy the current default branch.

    Once you get that done, Dependabot should be able to scan for vulnerabilities and give you the results. You can flip it as many times as you'd like.
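The workaround above, scripted against the GitHub REST API as an added example (this is not code from the question or answer; `OWNER`, `REPO`, the token and the sample alerts are constructed placeholders). It fetches the open Dependabot alerts, which GitHub computes for the default branch only, summarises them per manifest and severity, and can point the default branch at the branch whose yarn.lock you want scanned.

```python
"""Inspect Dependabot alerts per manifest/severity and flip the default
branch so the next scan reflects another branch's lockfile."""
import json
import urllib.request
from collections import Counter

API = "https://api.github.com"


def _request(method, path, token, body=None):
    # Minimal authenticated call to the GitHub REST API (first page only).
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{API}{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/vnd.github+json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def fetch_open_alerts(owner, repo, token):
    # Alerts are tied to the default branch, so this returns the same set
    # no matter which branch you have checked out locally.
    path = f"/repos/{owner}/{repo}/dependabot/alerts?state=open&per_page=100"
    return _request("GET", path, token)


def set_default_branch(owner, repo, token, branch):
    # The answer's trick: make the branch of interest the default branch so
    # Dependabot rescans its yarn.lock. Returns the new default branch name.
    body = {"default_branch": branch}
    return _request("PATCH", f"/repos/{owner}/{repo}", token, body)["default_branch"]


def summarize(alerts):
    """Count open alerts by (manifest path, advisory severity)."""
    counts = Counter()
    for alert in alerts:
        if alert.get("state") != "open":
            continue  # dismissed/fixed alerts are not actionable here
        key = (alert["dependency"]["manifest_path"],
               alert["security_advisory"]["severity"])
        counts[key] += 1
    return dict(counts)


# Constructed sample shaped like the API response, so summarize() runs offline.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "dependency": {"manifest_path": "yarn.lock"},
     "security_advisory": {"severity": "high"}},
    {"number": 2, "state": "open", "dependency": {"manifest_path": "yarn.lock"},
     "security_advisory": {"severity": "high"}},
    {"number": 3, "state": "open", "dependency": {"manifest_path": "yarn.lock"},
     "security_advisory": {"severity": "moderate"}},
    {"number": 4, "state": "dismissed", "dependency": {"manifest_path": "yarn.lock"},
     "security_advisory": {"severity": "critical"}},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
```

Run `summarize(fetch_open_alerts("OWNER", "REPO", token))` before and after `set_default_branch(...)` (allowing Dependabot a moment to rescan) to see how the counts differ between branches; restore the original default branch afterwards if anything deploys from it.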